Cisco ASA Series Cli Configuration Manual page 1122

HTTP Inspection
The latter two features are configured in conjunction with the filter command. For more information
about filtering, see
The enhanced HTTP inspection feature, which is also known as an application firewall and is available
when you configure an HTTP map (see
Inspection
security policy. It verifies the following for all HTTP messages:
•
•
•
Configuring an HTTP Inspection Policy Map for Additional Inspection
Control
To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can
then apply the inspection policy map when you enable HTTP inspection.
Note
When you enable HTTP inspection with an inspection policy map, strict HTTP inspection with the action
reset and log is enabled by default. You can change the actions performed in response to inspection
failure, but you cannot disable strict inspection as long as the inspection policy map remains enabled.
To create an HTTP inspection policy map, perform the following steps:
Step 1
(Optional) Add one or more regular expressions for use in traffic matching commands according to the
"Creating a Regular Expression" section on page
commands described in
Step 2
(Optional) Create one or more regular expression class maps to group regular expressions according to
the
Step 3
(Optional) Create an HTTP inspection class map by performing the following steps.
A class map groups multiple traffic matches. Traffic must match all of the match commands to match
the class map. You can alternatively identify match commands directly in the policy map. The difference
between creating a class map and defining the traffic match directly in the inspection policy map is that
the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string "example.com," then any traffic that includes "example.com"
does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop, drop-connection,
reset, mask, set the rate limit, and/or log the connection in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly
in the policy map.
a.
Cisco ASA Series CLI Configuration Guide
1-16
Chapter 1, "Configuring Filtering Services."
Control"), can help prevent attackers from using HTTP messages for circumventing network
Conformance to RFC 2616
Use of RFC-defined methods only.
Compliance with the additional criteria.
Step 3.
"Creating a Regular Expression Class Map" section on page
Create the class map by entering the following command:
hostname(config)# class-map type inspect http [match-all | match-any] class_map_name
hostname(config-cmap)#
Chapter 1 Configuring Inspection of Basic Internet Protocols
"Configuring an HTTP Inspection Policy Map for Additional
1-14. See the types of text you can match in the match
1-17.